- 30 Sep, 2013 3 commits
-
-
Jozsef Kadlecsik authored
In order to support hash:net,net, hash:net,port,net etc. types, arrays are introduced for the book-keeping of existing cidr sizes and network numbers in a set. Signed-off-by:Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Reported-by:
David Laight <David.Laight@ACULAB.COM> Signed-off-by:
-
- 16 Sep, 2013 1 commit
-
-
Jozsef Kadlecsik authored
The "nomatch" commandline flag should invert the matching at testing, similarly to the --return-nomatch flag of the "set" match of iptables. Until now it worked with the elements with "nomatch" flag only. From now on it works with elements without the flag too, i.e: # ipset n test hash:net # ipset a test 10.0.0.0/24 nomatch # ipset t test 10.0.0.1 10.0.0.1 is NOT in set test. # ipset t test 10.0.0.1 nomatch 10.0.0.1 is in set test. # ipset a test 192.168.0.0/24 # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is NOT in set test. Before the patch the results were ... # ipset t test 192.168.0.1 192.168.0.1 is in set test. # ipset t test 192.168.0.1 nomatch 192.168.0.1 is in set test. Signed-off-by:
-
- 29 Apr, 2013 4 commits
-
-
Jozsef Kadlecsik authored
The new revision of the set match supports to match the counters and to suppress updating the counters at matching too. At the set:list types, the updating of the subcounters can be suppressed as well. Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
Jozsef Kadlecsik authored
Signed-off-by:
-
Jozsef Kadlecsik authored
Introduce extensions to elements in the core and prepare timeout as the first one. This patch also modifies the em_ipset classifier to use the new extension struct layout. Signed-off-by:
-
Jozsef Kadlecsik authored
Signed-off-by:
-
- 09 Oct, 2012 1 commit
-
-
David Howells authored
Signed-off-by:
David Howells <dhowells@redhat.com> Acked-by:
Arnd Bergmann <arnd@arndb.de> Acked-by:
Thomas Gleixner <tglx@linutronix.de> Acked-by:
Michael Kerrisk <mtk.manpages@gmail.com> Acked-by:
Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by:
Dave Jones <davej@redhat.com>
-
- 22 Sep, 2012 3 commits
-
-
Jozsef Kadlecsik authored
Exceptions can now be matched and we can branch according to the possible cases: a. match in the set if the element is not flagged as "nomatch" b. match in the set if the element is flagged with "nomatch" c. no match i.e. iptables ... -m set --match-set ... -j ... iptables ... -m set --match-set ... --nomatch-entries -j ... ... Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by: -
Jozsef Kadlecsik authored
Signed-off-by:
-
- 15 Apr, 2012 1 commit
-
-
Eric Dumazet authored
Use of "unsigned int" is preferred to bare "unsigned" in net tree. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 02 Apr, 2012 1 commit
-
-
David S. Miller authored
These macros contain a hidden goto, and are thus extremely error prone and make code hard to audit. Signed-off-by:
-
- 07 Mar, 2012 3 commits
-
-
Jozsef Kadlecsik authored
The "nomatch" keyword and option is added to the hash:*net* types, by which one can add exception entries to sets. Example: ipset create test hash:net ipset add test 192.168.0/24 ipset add test 192.168.0/30 nomatch In this case the IP addresses from 192.168.0/24 except 192.168.0/30 match the elements of the set. Signed-off-by: -
Jan Engelhardt authored
iptables's libxt_SET.c depends on these. Signed-off-by:
Jan Engelhardt <jengelh@medozas.de> Signed-off-by:
-
Jan Engelhardt authored
ipset is actually using NFPROTO values rather than AF (xt_set passes that along). Signed-off-by:
-
- 16 Jun, 2011 9 commits
-
-
Jozsef Kadlecsik authored
Signed-off-by:
Patrick McHardy <kaber@trash.net>
-
Jozsef Kadlecsik authored
The hash:net,iface type makes possible to store network address and interface name pairs in a set. It's mostly suitable for egress and ingress filtering. Examples: # ipset create test hash:net,iface # ipset add test 192.168.0.0/16,eth0 # ipset add test 192.168.0.0/24,eth1 Signed-off-by: -
Jozsef Kadlecsik authored
With the change the sets can use any parameter available for the match and target extensions, like input/output interface. It's required for the hash:net,iface set type. Signed-off-by:
-
Jozsef Kadlecsik authored
The range internally is converted to the network(s) equal to the range. Example: # ipset new test hash:net # ipset add test 10.2.0.0-10.2.1.12 # ipset list test Name: test Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16888 References: 0 Members: 10.2.1.12 10.2.1.0/29 10.2.0.0/24 10.2.1.8/30 Signed-off-by:
-
Jozsef Kadlecsik authored
A set type may have multiple revisions, for example when syntax is extended. Support continuous revision ranges in set types. Signed-off-by:
-
Jozsef Kadlecsik authored
When ranges are added to hash types, the elements may trigger rehashing the set. However, the last successfully added element was not kept track so the adding started again with the first element after the rehashing. Bug reported by Mr Dash Four. Signed-off-by:
-
Jozsef Kadlecsik authored
Current listing makes possible to list sets with full content only. The patch adds support partial listings, i.e. listing just the existing setnames or listing set headers, without set members. Signed-off-by:
-
Jozsef Kadlecsik authored
The support makes possible to specify the timeout value for the SET target and a flag to reset the timeout for already existing entries. Signed-off-by:
-
Jozsef Kadlecsik authored
When an element to a set with timeout added, one can change the timeout by "readding" the element with the "-exist" flag. That means the timeout value is reset to the specified one (or to the default from the set specification if the "timeout n" option is not used). Example ipset add foo 1.2.3.4 timeout 10 ipset add foo 1.2.3.4 timeout 600 -exist Signed-off-by:
-
- 04 Apr, 2011 1 commit
-
-
Jozsef Kadlecsik authored
The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by:
-
- 29 Mar, 2011 1 commit
-
-
Jozsef Kadlecsik authored
The timeout variant of the list:set type must reference the member sets. However, its garbage collector runs at timer interrupt so the mutex protection of the references is a no go. Therefore the reference protection is converted to rwlock. Signed-off-by:
-
- 01 Feb, 2011 1 commit
-
-
Jozsef Kadlecsik authored
The patch adds the IP set core support to the kernel. The IP set core implements a netlink (nfnetlink) based protocol by which one can create, destroy, flush, rename, swap, list, save, restore sets, and add, delete, test elements from userspace. For simplicity (and backward compatibilty and for not to force ip(6)tables to be linked with a netlink library) reasons a small getsockopt-based protocol is also kept in order to communicate with the ip(6)tables match and target. The netlink protocol passes all u16, etc values in network order with NLA_F_NET_BYTEORDER flag. The protocol enforces the proper use of the NLA_F_NESTED and NLA_F_NET_BYTEORDER flags. For other kernel subsystems (netfilter match and target) the API contains the functions to add, delete and test elements in sets and the required calls to get/put refereces to the sets before those operations can be performed. The set types (which are implemented in independent modules) are stored in a simple RCU protected list. A set type may have variants: for example without timeout or with timeout support, for IPv4 or for IPv6. The sets (i.e. the pointers to the sets) are stored in an array. The sets are identified by their index in the array, which makes possible easy and fast swapping of sets. The array is protected indirectly by the nfnl mutex from nfnetlink. The content of the sets are protected by the rwlock of the set. There are functional differences between the add/del/test functions for the kernel and userspace: - kernel add/del/test: works on the current packet (i.e. one element) - kernel test: may trigger an "add" operation in order to fill out unspecified parts of the element from the packet (like MAC address) - userspace add/del: works on the netlink message and thus possibly on multiple elements from the IPSET_ATTR_ADT container attribute. - userspace add: may trigger resizing of a set Signed-off-by:
-
